The Marriott Data Breach and the Cyber Kill Chain

In the latest stunning security breach, this one disclosed by Marriott, the personal data of 500 million customers has been compromised. Of even greater concern is the fact that the attackers had penetrated and moved freely within the hotel giant's systems for nearly four years before the intrusion was discovered. And while one might assume that a breach of this magnitude had to be the result of a highly sophisticated and complex plan, the approach was really quite simple.

For those familiar with the "Cyber Kill Chain," the Marriott breach came down to two stages: "Reconnaissance," followed by the establishment of a "Command and Control" channel inside Marriott's reservation systems.

The Cyber Kill Chain, originally described by Lockheed Martin, is a sequence of seven stages attackers move through to infiltrate a network and exfiltrate data from it: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives. Each stage represents a specific goal along the attacker's path, and breaking the chain at any stage stops the attack. Enterprises and organizations are advised to use the kill chain as a guide for improving security infrastructure and minimizing risk. It is widely recognized in government circles and has fueled the "threat intelligence" industry that grew out of the DoD and intelligence communities.

In Marriott's case, Reconnaissance meant the attackers gathered information on Marriott's reservation systems and databases before they actually gained access, most of it publicly available on the Internet. They did not rely on malware that could be quickly detected; instead they gained access and established a Command and Control channel that allowed them to peruse the assets remotely. This was achieved by taking control of a legitimate device in the reservation systems and then closing off any back doors so that Marriott's security controls and vulnerability testing would not detect the compromise.

The bad actors then watched and waited for opportunities to access more valuable databases. Whenever authorized users accessed that data, the attackers could observe and steal their passwords, extend their own access, and encrypt the data for removal, all without being detected. Eventually, unauthorized activity was noticed, leading to the discovery that the data of 500 million customers had been encrypted and exfiltrated.

It could have easily been prevented if a different approach had been taken to secure the critical applications and data.

Software-Defined Perimeters (SDP) employ a Zero-Visibility approach, securing every connection to a service, application or piece of critical infrastructure. An SDP dynamically creates one-to-one connections between each authorized device and user and the data they access.

SDPs leverage a Zero-Trust approach: anyone attempting to access a resource must "authenticate first." Resources a user is not authorized for are invisible to that user. This applies the principle of least privilege to the network itself and drastically reduces the attack surface.

By default, users are not allowed to connect to anything. This is the opposite of traditional corporate networks, where a user who has been given an IP address can typically reach everything on the network. Instead, SDPs ensure that once the proper access criteria are met, a dynamic one-to-one connection is generated from the user's machine to the specific resource needed. Everything else remains completely invisible.

So when you consider Cyber Kill Chain "Reconnaissance," SDP provides a countermeasure by delivering proactive protection using a Single Packet Authorization (SPA) packet and a "deny all" gateway: the gateway answers nothing until a valid SPA packet has identified the device and user. Because unauthenticated probes simply get no response, this approach also blunts reconnaissance techniques that have not yet been invented.
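To make the "authenticate first, deny all" gateway described here, and the one-to-one connection model from the paragraphs above, concrete, here is an added simulation. It is not code from the original post or from any SDP vendor: the device IDs, pre-shared keys, resource names and the SPA packet format are all constructed assumptions for the example. It shows a gateway that drops every unauthenticated probe, verifies an HMAC-authenticated SPA datagram (with a freshness window and replay protection), and then opens exactly one device-to-resource tunnel while everything else stays invisible. A production SDP would obtain keys and entitlements from its controller and add mutual TLS and device validation rather than in-code constants.

```python
"""Toy software-defined-perimeter gateway: default deny, Single Packet
Authorization (SPA), then a single device-to-resource tunnel.
Hypothetical simulation; all identifiers and keys below are constructed."""
import hashlib
import hmac
import json
import os
import time

# Constructed data: pre-shared SPA keys for enrolled devices and the
# resources each device is entitled to. A real SDP controller supplies these.
DEVICE_KEYS = {"laptop-42": b"constructed-preshared-key-for-laptop-42"}
ENTITLEMENTS = {"laptop-42": {"reservations-db"}}
SPA_WINDOW_SECONDS = 30  # how long a SPA packet stays acceptable


def build_spa_packet(device_id, key, resource, now=None):
    """Client side: one datagram proving identity and intent. The HMAC covers
    device id, timestamp, nonce and the requested resource, so a captured
    packet cannot be re-pointed at another resource or replayed later."""
    body = {
        "device": device_id,
        "ts": int(now if now is not None else time.time()),
        "nonce": os.urandom(16).hex(),
        "resource": resource,
    }
    raw = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, raw, hashlib.sha256).hexdigest()
    return raw + b"." + tag.encode()


class SdpGateway:
    """Server side. Before a valid SPA packet every probe is dropped silently
    (no banner, no RST, nothing to enumerate). After one, the gateway opens a
    single (device, resource) tunnel and nothing else."""

    def __init__(self, device_keys, entitlements):
        self.device_keys = device_keys
        self.entitlements = entitlements
        self.seen_nonces = set()   # replay protection
        self.open_tunnels = set()  # (device_id, resource) pairs

    def handle_probe(self, src, port):
        """Unauthenticated traffic (port scan, banner grab): deny all.
        None models 'no response whatsoever'."""
        return None

    def handle_spa(self, packet, now=None):
        """Validate one SPA packet; on success open exactly one tunnel."""
        now = now if now is not None else time.time()
        try:
            raw, tag = packet.rsplit(b".", 1)
            body = json.loads(raw)
            device, ts = body["device"], body["ts"]
            nonce, resource = body["nonce"], body["resource"]
            key = self.device_keys[device]
        except (ValueError, KeyError, TypeError):
            return False  # malformed or unknown device: drop silently
        expected = hmac.new(key, raw, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag.decode(errors="replace")):
            return False  # wrong key: forged packet
        if abs(now - ts) > SPA_WINDOW_SECONDS:
            return False  # stale packet: bounds the replay window
        if nonce in self.seen_nonces:
            return False  # exact replay of an earlier packet
        self.seen_nonces.add(nonce)
        if resource not in self.entitlements.get(device, set()):
            return False  # authenticated but not entitled to this resource
        self.open_tunnels.add((device, resource))
        return True

    def connect(self, device_id, resource):
        """A connection succeeds only over a tunnel SPA opened for exactly
        this device/resource pair; everything else is invisible."""
        return (device_id, resource) in self.open_tunnels


def demo():
    """Walk through the kill-chain stages the post discusses."""
    gw = SdpGateway(DEVICE_KEYS, ENTITLEMENTS)
    results = {}
    # Reconnaissance: a scanner from an unknown address sees nothing.
    results["scan"] = gw.handle_probe("203.0.113.9", 443)
    # Enrolled device authenticates first, then gets its one tunnel.
    pkt = build_spa_packet("laptop-42", DEVICE_KEYS["laptop-42"], "reservations-db")
    results["spa_ok"] = gw.handle_spa(pkt)
    results["db"] = gw.connect("laptop-42", "reservations-db")
    # Least privilege: the same device cannot reach anything it was not granted.
    results["other"] = gw.connect("laptop-42", "payroll-db")
    # A captured SPA packet replayed by an attacker is rejected.
    results["replay"] = gw.handle_spa(pkt)
    # A forged packet built with the wrong key is dropped.
    forged = build_spa_packet("laptop-42", b"wrong-key", "reservations-db")
    results["forged"] = gw.handle_spa(forged)
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the scan getting no answer at all, the legitimate device reaching only the one resource it was entitled to, and replayed or forged SPA packets being discarded before any service is exposed, which is the property that removes the attacker's reconnaissance foothold.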

And establishing a "Command and Control" channel, or harvesting the passwords and keys needed to widen access, becomes far harder under SDP's authenticate-first, deny-all approach, because an attacker who cannot see a resource cannot connect to it.

SDPs address the perimeter-less enterprise. They are built on three core principles and should be leveraged at every phase of the Kill Chain to maximize protection. Check back next week when we look at the Cyber Kill Chain and SDPs in more detail.